Hey Joe. Do you know where we keep the explosives?

Collaboration is an important element of business productivity. But it’s sometimes too easy to set up methods for sharing files between employees in different geographical locations, putting potentially sensitive information at risk of being unexpectedly found and abused. In this example, some pretty chilling corporate information was exposed in what looks like a simple matter of misconfigured file servers, probably used for collaboration.

Allied-Horizontal Wireline Services (AHWS) performs technical activities at oil drilling sites, sometimes using explosive charges. Recently, a security researcher discovered what was essentially a publicly accessible online file storage server owned by AHWS. The server clearly was not secured properly, which allowed unauthorized access from the Internet to various data files stored on it.

Let’s consider how exposed routine business information can lead to risks

Among the data discovered by the researcher were employee login information, client contract documents and information about the storage locations where the company keeps explosives used in operations.

Obviously, this isn’t a good situation. Whether an opportunistic individual stumbles on this kind of data, or a skilled attacker targets the organization and finds it through routine research, the exposure of information about the explosives could have led to physical theft, extortion, sabotage or even terrorism.

Fortunately, in this case, when the researcher informed the organization, they took swift action to secure the storage server.

It’s management’s responsibility to make sure information security risks are analyzed from all angles

So, think about the kinds of information your employees share routinely, and where that information is stored. While information may not seem sensitive at first glance, businesses need to step back and look at risks that could arise from inadequate security practices. Then management should issue policies on how that information needs to be secured to mitigate those risks.